excerpt from my book on technology, terrorism, and
DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
[email protected]. If you're dying to order the book, send
mail to the same address.

And what about the “hard” option – just plain regulating? You know, just putting network security
requirements into the Federal Register?

We couldn’t ignore that option, I thought. In fact, a lot of the
most critical industries were already subject to government regulation. These
included financial institutions, energy, and telecommunications. And some of
these industries were already subject to cybersecurity regulation. Financial
institutions, for example, must follow a unified set of cybersecurity rules.
But even financial regulators don’t require particular security measures. The
rules are largely procedural, resembling the instructions on a bottle of
shampoo: Institutions must study their
vulnerabilities, cure them, assess the effectiveness of the cure, and repeat.

It’s hard to write rules that go beyond such procedural steps,
because the attackers change tactics faster than regulations can be amended.
What's more, the cost of mandatory security would be very high; it would slow
innovation and productivity growth severely.

Even so, there's a case for mandating particular security measures
for regulated industries. It’s the
Howard Crank problem all over again. Every year, the exponential growth of
information technology makes our lives a little better, our businesses a little
more efficient and profitable. And every year it leaves us a little more
vulnerable to a military strike on our infrastructure that could leave us
without power, money, petroleum, or communications for months.
Large parts of the country could find themselves living like
post-Katrina New Orleans -- but without the National Guard over the horizon.
That risk isn’t part of most companies’ balance sheet. It’s not hard to see
that as the kind of market failure that requires regulation.

But even if there is a market failure, the government still isn’t
well-equipped to solve it. At a minimum, the regulatory agencies would have to
find a way to coordinate and issue standards much faster than they now write
regulations. Today, the practical speed
limit is eighteen months from new idea to final rule. There's not much point in replacing a
predictable market failure with an equally predictable government failure.

And what about all the vulnerable IT networks that are not in the
hands of regulated industries? If they
are compromised, the harm goes beyond the users of those networks. The
compromised machines can be used to attack others, including government
systems. To set standards in that world would certainly require new

Industry, we knew, wouldn’t like any talk about regulation. But
they were fighting the last war. New
security legislation had in fact already been enacted, though in an odd, and
mostly unfortunate, way. Laws have been adopted in all but five states that
require companies to disclose any security breaches that lead to the disclosure
of sensitive customer data. The more the federal government has dithered over
security rules for industry, the more aggressively the states have moved into
the opening. Their breach notification laws are becoming de facto security
regulations for all companies. First, they punish bad security by forcing
companies who are compromised to admit that fact, as long as some personal data
was accessed. Second, in a crude way, they recognize that good security
measures can make notification unnecessary, and that encourages companies to
invest in technologies that are so recognized. For example, many state laws
recognize that encrypted data may be safe even if the system it is stored on
has been compromised. So, naturally, many companies have expanded their use of
encryption to avoid embarrassing breach notifications.

The problem with these laws is that they don’t necessarily point
companies in the direction of real security improvements. Because they only
punish companies for breaches that disclose personal data, they have encouraged
the companies to lock up or discard certain kinds of customer data – rather
than focusing on keeping hackers out of their systems more broadly.

The problem is particularly acute in the area of stolen and lost
laptops. Thousands of business laptops are lost or stolen every day. Usually,
the thief wants the laptop, not the data. But if there is personal data in the
laptop, that data has technically been compromised, thus forcing companies to
send embarrassing notices to everyone whose data was in the computer. After a
few such cases, companies begin to divert their security budget to
double-locking laptop drives with passwords and encryption. Those measures
won’t keep Ghostnet out of their networks, but they get the highest investment
priority because of the peculiarities of state law.

By the same token, state laws expressly recognizing encryption of
data as a defense have artificially heightened the priority that security
offices assign to the deployment of encryption, even though it too would have
done little to block a sophisticated attack. There are plenty of measures other
than encryption that may be equally effective at providing a defense in depth,
but state legislatures have not been able to draft laws that reward more

Finally, state laws vary substantially, creating great tension for
law-abiding companies, which find they cannot actually comply with all of the
different laws. For all those reasons, we noted, there is growing support for a
federal law that would set a single breach disclosure standard. We thought that
such a law could also create incentives for higher cybersecurity standards. In
fact, replacing inconsistent state notification laws with a security-minded
federal law would be a victory for both security and innovation.